Testing signatures from the command line

Testing signatures from the command line Christopher Piggott 11/10/11 8:25 AM
Hi,

I am trying to verify signatures from the command line, just as a
test.  Steps I took:

1) generate the key with:
   openssl req -x509 \
        -nodes \
        -days 365 \
        -newkey rsa:1024 \
        -sha1 \
        -subj '/C=US/ST=NY/ [ other stuff ]' \
       -keyout privatekey.pem \
       -out certificate.pem

2) upload certificate.pem into google domain manager

3) make a request, and capture the verification.  Google says it has
signed 17 fields:

op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ns.ext2,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email,ext1.type.lastname,ext1.value.lastname,ext2.auth_time,ext2.auth_policies

4) In the exact same order as listed above, put all those fields in
the Key-Value Form Encoding format.  I'm going to obscure what it
actually returned, but basically show you the idea of what this looks
like below:


openid.op_endpoint:https://www.google.com/accounts/o8/ud
openid.claimed_id:https://www.google.com/accounts/o8/id?id=AItOawl8qQCzsiDX????????????????????
openid.identity:https://www.google.com/accounts/o8/id?id=AItOawl8qQCzsiDX????????????????????
openid.return_to:https://something.secret.com/login/google/verify
openid.response_nonce:2011-11-09T21:40:31ZnsyZoEk0ukfVDQ

...

There are a total of 17 of these, each line ends in \n.

5) Google sent me an openid.sig ... I turned this into hex by doing
this:

    echo $SIGNATURE | base64 -d | hexdump -v -e '/1 "%02X "'

and I ended up with 20 bytes (160 bits) which matches an SHA1
signature, which is what I expected.


So here's the question.  Can I use the Key-Value Form Encoding file
that I created, and the privatekey.pem file, to verify the signature
myself using

    openssl dgst -hmac (something) ?

I haven't figured it out yet, but it seems like there must be a way.



Re: [google-federated-login-api] Testing signatures from the command line John Bradley 11/14/11 6:02 AM
OpenID 2.0 uses symmetric HMAC signatures.

I don't know what the RSA key is for in your example.

You must perform an association call and get a secret and association handle first.

The association handle must be part of the request.

You then perform an HMAC-SHA1 verification of the response using the body and the secret.

The OpenID 2.0 spec provides the information.
http://openid.net/specs/openid-authentication-2_0.html

So the answer is no: the .pem file has nothing to do with the OpenID signature.

John B.

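The procedure the two messages describe, put together as an added example (not code from either poster, and not Google's or the spec's own code): the RP keeps the mac_key it received during association, rebuilds the Key-Value Form of the fields named in openid.signed, and checks that HMAC-SHA1 over that string under the mac_key equals openid.sig. It also shows the openssl dgst invocation the question was looking for. Everything in it is constructed: the base64 mac_key, the field values, the hostnames rp.example and attacker.example, and the EXAMPLE placeholders. One detail worth noticing against the question's step 4): per OpenID 2.0 section 6.1 the keys in the signed Key-Value Form carry no "openid." prefix, which is also why the list in openid.signed is written without it.

```sh
#!/bin/sh
# Verifying an OpenID 2.0 positive assertion from the command line with
# openssl. Added example, not code from the thread; everything here is
# constructed (the association MAC key, the field values, the hostnames).

# Hypothetical openid.mac_key from the association response: base64 of the
# 20 constructed bytes 0x00..0x13. The real one is what the OP handed the RP
# during association; it never appears in the authentication response.
MAC_KEY_B64='AAECAwQFBgcICQoLDA0ODxAREhM='

# Constructed positive assertion, already URL-decoded, one openid.key=value
# per line. The field names are the ones from the thread; values are fake.
RESPONSE='openid.ns=http://specs.openid.net/auth/2.0
openid.mode=id_res
openid.op_endpoint=https://www.google.com/accounts/o8/ud
openid.claimed_id=https://www.google.com/accounts/o8/id?id=EXAMPLE
openid.identity=https://www.google.com/accounts/o8/id?id=EXAMPLE
openid.return_to=https://rp.example/login/google/verify
openid.response_nonce=2011-11-09T21:40:31ZEXAMPLENONCE
openid.assoc_handle=EXAMPLEHANDLE
openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle'

# field RESPONSE KEY: print the value of the "openid.KEY=" line (empty if absent)
field() {
    printf '%s\n' "$1" | sed -n "s/^openid\.$2=//p" | head -n 1
}

# kv_form RESPONSE: Key-Value Form of the signed fields, "key:value\n" each,
# in openid.signed order and with the "openid." prefix dropped (OpenID 2.0
# section 6.1). This is the exact byte string the HMAC is computed over.
kv_form() {
    for key in $(field "$1" signed | tr ',' ' '); do
        printf '%s:%s\n' "$key" "$(field "$1" "$key")"
    done
}

# hmac_sha1_b64 MAC_KEY_B64: base64(HMAC-SHA1(mac_key, stdin)). The key is
# handed to openssl as hex so a binary key with NUL or high bytes survives;
# plain "-hmac KEY" only takes a printable string.
hmac_sha1_b64() {
    hexkey=$(printf '%s' "$1" | openssl base64 -d -A | od -An -v -tx1 | tr -d ' \n')
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" -binary | openssl base64 -A
}

# sign_response RESPONSE MAC_KEY_B64: the OP side, used here only to make a
# self-consistent test vector (the thread's real openid.sig is obscured).
sign_response() {
    sig=$(kv_form "$1" | hmac_sha1_b64 "$2")
    printf '%s\nopenid.sig=%s\n' "$1" "$sig"
}

# verify_response RESPONSE MAC_KEY_B64: exit 0 if openid.sig is the HMAC of
# the signed fields under the association key, 1 otherwise.
verify_response() {
    expected=$(kv_form "$1" | hmac_sha1_b64 "$2")
    got=$(field "$1" sig)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

SIGNED=$(sign_response "$RESPONSE" "$MAC_KEY_B64")
# Same response with return_to pointed somewhere else: must fail.
TAMPERED=$(printf '%s\n' "$SIGNED" | sed 's#^openid\.return_to=.*#openid.return_to=https://attacker.example/#')

if verify_response "$SIGNED" "$MAC_KEY_B64"; then
    echo "untouched response: signature verifies"
fi
if ! verify_response "$TAMPERED" "$MAC_KEY_B64"; then
    echo "tampered return_to: signature does not verify"
fi
```

The certificate and private key from step 1) play no part in this, as the reply says: the only secret involved is the mac_key from the association, and it has to be the one belonging to the assoc_handle the response names. A matching signature is also only the first check an RP makes; the spec still requires verifying return_to against the request it sent and rejecting a response_nonce it has already seen, and a production RP should compare the two signature values in constant time rather than with a shell string test.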